Almost Half of Top Websites are Vulnerable to Cyberattacks

Large numbers of websites are either using software that opens them up to cyberattack, or have already been compromised in some way, claims new report.

Trust can be an expensive luxury, as many an enterprise has discovered over the years, and as a new report has made very clear indeed.

An impressive 42 per cent of the top 100,000 websites on the web are using software that leaves them vulnerable to cyberattack, or have already been compromised, according to the new report. Of course, using trusted intermediaries to deliver malware or provide a means of access is far from a new technique, but the business of vetting and controlling digital assets is growing exponentially complicated.

The average website connects to 25 background sites or services in order to deliver content, from video clips, Content Delivery Networks, advertisements, plugins and trackers, the third annual State of the Web Report from Menlo Security points out. Monitoring this range of third parties for signs of compromise or unusual behaviour is beyond most enterprise security administrators.

Just one recent example is the use of legitimate ad units running Doubleclick to deliver malvertising and unwanted Java-based Monero mining software, running in users’ browsers. The report also found that categorising sites for white or blacklisting efforts is almost completely ineffective, with sites in the "Business and Economy" category experiencing the most security incidents in the last year, and hosting more phishing sites and - worst of all - containing more sites running vulnerable software, such as PHP 5.3.3, than any other category—including "Gambling."

The prevalence of outdated software was considerable, with more than 32,000 of the sites studied relying on Microsoft IIS 7.5, which was released in 2009. Some were even running Microsoft’s Internet Information Services (IIS) 5, released in 2000, and reaching “mainstream support end” in 2005.

Another interesting discovery in the report is that categorisation is itself somewhat flexible, with sites transitioning between trusted and untrusted categories regularly. In the course of one month, researchers observed nearly 1,000 sites that were re-categorized at least once by a web security firm, with one website that had been assigned to the Phishing and Other Frauds category briefly being re-assigned to Business and Economy, Shopping, Travel.

Overall, around 49 per cent of "News and Media" sites were considered risky, as were 45 per cent of "Entertainment and Arts" sites, and 41 per cent of "Travel" sites, the report found.

“This report confirms what most CISO’s already know: that a false sense of security is a dangerous thing when using the web,” says Amir Ben-Efraim, CEO of Menlo Security. “Despite website operators' best efforts, cyber-criminals can now exploit widespread vulnerabilities to compromise even the most trusted brands on the web."

The difficulties in filtering out malicious domains is becoming increasingly challenging, with phishing sites adopting increasing levels of respectability. Some 4,600 phishing websites found in the report use legitimate hosting services to avoid detection, the report noted - with it often being easier for attackers to set up a subdomain on a legitimate hosting service than to use other alternatives, and these domains are often whitelisted by companies.

Meanwhile, typosquatting remains an active avenue for attackers, with 19 per cent of categorized typosquatting sites were found in trusted categories, such as financial services and news and media. High Tech Bridge’s free Trademark Monitoring Radar has checked more than 148 million sites to date, testing for malicious domain activities such as cybersquatting, typosquatting and phishing. The most targeted brands will come as no surprise - Google, PayPal, Facebook, Yahoo and Amazon - but the sheer volumes are a source of concern. Google alone has 204,746 malicious TLD sites targeting it, and 379 .com TLDs.

‘Don’t trust - test’ might be the best takeaway for enterprise here…

Mark Mayne Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.